Date: 2026-07-03
Source: Ransomware.live (Dark Web Leak Site Monitoring)
Analyst: Security Arsenal Threat Intel Unit
Threat Actor Profile — INCRANSOM
INCRANSOM is a notorious ransomware-as-a-service (RaaS) operation known for its aggressive double-extortion tactics. While the core group maintains the encryption payload, they rely heavily on a decentralized network of affiliates to conduct initial access and lateral movement.
- Model: RaaS (Affiliate-based).
- Ransom Demands: Typically ranges from $500,000 to $5 million, varying based on victim revenue and data sensitivity.
- Initial Access: Historically favors exploiting external-facing vulnerabilities (VPN/Firewall appliances) and compromising remote management software (e.g., ScreenConnect). Phishing remains a secondary vector.
- Dwell Time: Short to moderate. Recent analysis suggests an average dwell time of 3–5 days between initial access and encryption detonation.
- TTPs: Known to utilize tools like Cobalt Strike for beaconing, PsExec for lateral movement, and Rclone for rapid data exfiltration prior to encryption.
Current Campaign Analysis
Based on the last 100 postings and live data from July 2026, INCRANSOM has accelerated its operations, specifically targeting critical infrastructure and essential services.
Sector Targeting
The current campaign shows a distinct pivot towards high-value, sensitive data holders:
- Public Sector: High intensity. Recent victims include oakparkmi.gov (US) and acworth-ga.gov (US).
- Healthcare: Critical targeting of vision and rehab centers (e.g., hamilton-eye.com, Colorado Rehabilitation and Occupational Medicine).
- Geographic Concentration: Primarily United States and Brazil. Secondary activity observed in Great Britain (roundshield.com) and Italy (sza.it).
Victim Profile
- Size: Mixed, but heavy emphasis on Mid-Market Enterprises (MME) and Municipalities.
- Revenue Estimates: $10M - $200M range based on the footprint of the targeted entities.
Posting Frequency & Escalation
The group has posted 11 victims in the recent cycle, with publication dates clustered around July 1-2, 2026. Clustering like this usually means one of two things: affiliates publishing a backlog of victims in one batch, or a mass-exploitation event against a common vulnerability that produced many footholds at once.
CVE Correlation & Initial Access Vectors
We have correlated recent victimology with the CISA Known Exploited Vulnerabilities (KEV) catalog. INCRANSOM affiliates are actively exploiting:
- CVE-2026-50751 (Check Point Security Gateway): Improper authentication in IKEv1. Highly relevant given the targeting of sectors with legacy VPN infrastructure.
- CVE-2024-1708 (ConnectWise ScreenConnect): Path traversal (CVSS 8.4) that lets a user with administrative access write files outside the intended directory and reach code execution. It was fixed in the same ScreenConnect release (23.9.8) as the CVE-2024-1709 authentication bypass, and in practice the two are chained: the bypass supplies the admin session, the traversal supplies the file write. A perennial favorite for rapid access to managed service providers (MSPs) and internal IT desks.
- CVE-2023-21529 (Microsoft Exchange Server): Remote code execution (reported as a deserialization issue) that requires authenticated access, so it is a post-credential pivot rather than an unauthenticated foothold. Likely used in environments where Exchange is exposed to the internet and a mailbox credential has already been phished or purchased.
Detection Engineering
The following detection rules and hunts are designed to identify the specific TTPs associated with the current INCRANSOM campaign, focusing on the CVEs listed above and their standard lateral movement procedures.
```yaml
title: Potential Exploitation CVE-2026-50751 Check Point IKEv1 Anomaly
id: 99b92133-1c44-4f3a-9a2e-5d7c8a1b2c3d
status: experimental
description: >
  Surfaces accepted IKEv1 authentication events on Check Point Security Gateways as a
  hunting baseline for CVE-2026-50751 (improper authentication in IKEv1). On its own the
  selection matches every successful IKEv1 peer authentication, so the rule only becomes an
  alert once the known site-to-site peers are listed in filter_known_peers and the remainder
  is reviewed.
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
date: 2026-07-03
modified: 2026-07-03
author: Security Arsenal Intel
logsource:
  product: firewall
  service: vpn
detection:
  selection:
    dst_port:
      - 500
      - 4500   # NAT-T
    protocol: 'udp'
    vpn_protocol: 'ike'
    ike_version: 1
    action|endswith: 'accept'
    event_type: 'authentication'
  filter_known_peers:
    src_ip:
      - '203.0.113.10'   # placeholder: replace with the organisation's known IKEv1 peer addresses
  condition: selection and not filter_known_peers
falsepositives:
  - Legitimate IKEv1 peers not yet added to the known-peer list
  - Re-keying from existing site-to-site tunnels (IKEv1 is still common on legacy appliances)
level: medium
```
```yaml
title: Suspicious ConnectWise ScreenConnect Path Traversal (CVE-2024-1708)
id: a8c82144-2d55-5a4b-0b3f-6e8d9b2c3d4e
status: experimental
description: >
  Detects path traversal sequences in requests to a ConnectWise ScreenConnect server,
  indicative of CVE-2024-1708 exploitation. The request method is deliberately not
  restricted: traversal payloads arrive in POST bodies and upload paths as well as GET.
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
date: 2026-07-03
modified: 2026-07-03
author: Security Arsenal Intel
logsource:
  category: webserver
  product: connectwise_screenconnect
detection:
  selection:
    c-uri|contains:
      - '../'
      - '..\'
      - '..%2f'
      - '..%5c'
      - '%2e%2e%2f'
      - '%2e%2e/'
  condition: selection
falsepositives:
  - Vulnerability scanners and authorised web application testing against the ScreenConnect server
level: critical
```
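The ScreenConnect rule above is a substring match on the raw request URI. As an added example (not code from the page or from Security Arsenal), the script below applies the same traversal logic to web server log lines but also percent-decodes the URI repeatedly, so double-encoded payloads such as `%252e%252e%252f` and backslash variants are caught as well. It assumes a W3C-style space-separated log with the fields `date time c-ip cs-method cs-uri-stem cs-uri-query sc-status`; the log lines embedded in it are constructed for the demonstration and are not from any victim.

```python
"""Apply the ScreenConnect path-traversal detection to web server log lines.

Added example, not code from the page or from Security Arsenal. Assumes a W3C-style
log with fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
The sample lines below are constructed for the demo.
"""
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample log: one single-encoded GET traversal, one double-encoded POST
# traversal using a backslash, and two benign requests.
SAMPLE_LOG = """\
2026-07-01 08:12:01 198.51.100.7 GET /Guest/..%2f..%2fApp_Extensions/web.config - 200
2026-07-01 08:12:05 198.51.100.7 POST /App_Extensions/%252e%252e%255cbin/evil.ashx - 200
2026-07-01 08:13:10 192.0.2.15 GET /Host - 200
2026-07-01 08:14:22 198.51.100.9 GET /Login?Reason=1 - 200
"""

TRAVERSAL = re.compile(r"\.\.[/\\]")  # '../' or '..\' once the URI is decoded
FIELDS = ["date", "time", "c_ip", "method", "uri_stem", "uri_query", "status"]


def normalize(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so '%252e%252e%252f' becomes '../'.

    Stops as soon as a decoding round no longer changes the string; backslashes
    are folded to forward slashes so one regex covers both separators."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def parse_line(line: str) -> Optional[dict]:
    """Split one W3C-style line into named fields; None if the shape is wrong."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_traversal(uri: str) -> bool:
    """True if the raw or the decoded URI contains a parent-directory sequence."""
    return bool(TRAVERSAL.search(uri)) or bool(TRAVERSAL.search(normalize(uri)))


def hunt(log_text: str) -> List[dict]:
    """Return the parsed records whose URI (stem plus query) contains a traversal."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        query = "" if rec["uri_query"] == "-" else "?" + rec["uri_query"]
        uri = rec["uri_stem"] + query
        if is_traversal(uri):
            rec["decoded_uri"] = normalize(uri)
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h['date']} {h['time']} {h['c_ip']} {h['method']} {h['decoded_uri']}")
```

Run it against an exported ScreenConnect or reverse-proxy access log instead of `SAMPLE_LOG`; the decoded URI in each hit is what should be compared against the `/App_Extensions/` and `/Guest/` paths named in the hardening section.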
```yaml
title: INCRANSOM Lateral Movement via PsExec and WMI
id: b7d93255-3e66-6b5c-1c4a-7f9e0c3d4e5f
status: experimental
description: >
  Detects lateral movement patterns consistent with INCRANSOM affiliates using PsExec and
  WMI to distribute tooling and the encryptor. WMIC and PowerShell are matched on the
  remote process-creation syntax each tool actually uses rather than on a shared string.
references:
  - Internal Research
date: 2026-07-03
author: Security Arsenal Intel
logsource:
  category: process_creation
  product: windows
detection:
  selection_psexec:
    Image|endswith:
      - '\psexec.exe'
      - '\psexec64.exe'
    CommandLine|contains: 'accepteula'
  selection_psexec_renamed:
    # PE original filename survives a rename of the binary (Sysmon OriginalFileName)
    OriginalFileName: 'psexec.c'
  selection_wmic:
    Image|endswith: '\wmic.exe'
    CommandLine|contains|all:
      - '/node:'
      - 'process call create'
  selection_powershell:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Invoke-CimMethod'
      - 'Invoke-WmiMethod'
    CommandLine|contains|all:
      - 'Win32_Process'
      - 'Create'
  condition: 1 of selection_*
falsepositives:
  - Administrative IT management; baseline PsExec/WMI use from known admin hosts and exclude those hosts
level: high
```
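A single PsExec or WMI process-creation event is routine on most networks; what distinguishes encryptor distribution is fan-out, one source host reaching many targets in a short window. The script below is an added example (not code from the page or from Security Arsenal) that applies the matching logic of the rule above to process-creation records and then ranks source hosts by the number of distinct remote targets within a sliding window. The events are constructed for the demo in a Sysmon-like shape (`UtcTime`, `Computer`, `User`, `Image`, `CommandLine`); those field names, the 10-minute window and the threshold of three targets are assumptions to tune locally.

```python
"""Rank PsExec/WMI lateral movement by fan-out (distinct targets per source host).

Added example, not from the page or Security Arsenal. EVENTS are constructed
process-creation records in a Sysmon-like shape; field names are an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed sample data: one distribution burst, one routine admin use
    {"UtcTime": "2026-07-01 22:01:03", "Computer": "WS-ADMIN01", "User": "CORP\\svc_backup",
     "Image": "C:\\Tools\\psexec.exe",
     "CommandLine": "psexec.exe \\\\FS01 -accepteula -s cmd /c c:\\temp\\run.bat"},
    {"UtcTime": "2026-07-01 22:01:10", "Computer": "WS-ADMIN01", "User": "CORP\\svc_backup",
     "Image": "C:\\Tools\\psexec.exe",
     "CommandLine": "psexec.exe \\\\FS02 -accepteula -s cmd /c c:\\temp\\run.bat"},
    {"UtcTime": "2026-07-01 22:01:25", "Computer": "WS-ADMIN01", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "CommandLine": "wmic /node:DC01 process call create \"cmd /c c:\\temp\\run.bat\""},
    {"UtcTime": "2026-07-01 22:02:40", "Computer": "WS-ADMIN01", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c Invoke-CimMethod -ComputerName APP03 -ClassName Win32_Process "
                    "-MethodName Create -Arguments @{CommandLine='c:\\temp\\run.bat'}"},
    {"UtcTime": "2026-07-01 09:15:00", "Computer": "WS-IT07", "User": "CORP\\jdoe",
     "Image": "C:\\Tools\\psexec.exe",
     "CommandLine": "psexec.exe \\\\PRINT01 -accepteula ipconfig /all"},
]

# Where each tool names its remote target on the command line.
TARGET_PATTERNS = [
    re.compile(r"\\\\([A-Za-z0-9_.-]+)"),                  # psexec \\HOST
    re.compile(r"/node:\"?([A-Za-z0-9_.-]+)", re.I),        # wmic /node:HOST
    re.compile(r"-ComputerName\s+([A-Za-z0-9_.-]+)", re.I),  # Invoke-CimMethod/Invoke-WmiMethod
]


def matches_rule(ev: dict):
    """Mirror the Sigma selections: return the technique name or None."""
    image = ev["Image"].lower()
    cmd = ev["CommandLine"]
    low = cmd.lower()
    if image.endswith(("\\psexec.exe", "\\psexec64.exe")) and "accepteula" in low:
        return "psexec"
    if image.endswith("\\wmic.exe") and "/node:" in low and "process call create" in low:
        return "wmic"
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")) and re.search(r"Invoke-(Cim|Wmi)Method", cmd, re.I):
        return "powershell"
    return None


def extract_target(cmd: str):
    """Pull the remote host out of the command line, upper-cased, or None."""
    for pat in TARGET_PATTERNS:
        m = pat.search(cmd)
        if m:
            return m.group(1).upper()
    return None


def fan_out(events, window=timedelta(minutes=10), threshold=3):
    """Group rule hits by (source host, user) and report groups that reach
    `threshold` distinct targets inside any `window`-long span."""
    hits = defaultdict(list)
    for ev in events:
        tech = matches_rule(ev)
        if not tech:
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        hits[(ev["Computer"], ev["User"])].append((ts, tech, extract_target(ev["CommandLine"])))
    alerts = []
    for (host, user), lst in hits.items():
        lst.sort(key=lambda x: x[0])
        for i, (start, _, _) in enumerate(lst):
            in_win = [h for h in lst[i:] if h[0] - start <= window]
            targets = sorted({t for _, _, t in in_win if t})
            if len(targets) >= threshold:
                alerts.append({"source": host, "user": user, "first_seen": start,
                               "targets": targets,
                               "techniques": sorted({tech for _, tech, _ in in_win})})
                break  # one alert per source/user is enough
    return alerts


if __name__ == "__main__":
    for a in fan_out(EVENTS):
        print(f"{a['first_seen']} {a['source']} ({a['user']}) -> {len(a['targets'])} targets "
              f"{a['targets']} via {a['techniques']}")
```

Feed it the Sysmon event ID 1 or Security 4688 records exported for the suspected window; the admin host that appears with the widest target list and the `-s cmd /c` style command line is the distribution point to isolate first.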
```kql
// KQL Hunt for INCRANSOM Pre-Encryption Staging
// Hunts for archivers creating password-protected archives, Rclone transfer commands
// (including renamed copies, via the PE original filename) and PowerShell Compress-Archive,
// launched from shells, script hosts or Explorer.
let TimeFrame = 24h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| extend OrigName = tolower(ProcessVersionInfoOriginalFileName)
| where
    // rclone: copy/sync/move to a remote, or a custom config file
    ((FileName =~ "rclone.exe" or OrigName == "rclone.exe")
        and ProcessCommandLine has_any ("copy", "sync", "move", "--config", "--transfers"))
    // WinRAR/7-Zip adding files with a password switch (-p<pw> or -hp<pw>)
    or (FileName in~ ("winrar.exe", "rar.exe", "7z.exe", "7za.exe")
        and ProcessCommandLine matches regex @"(?i)\s-h?p\S")
    // PowerShell archive creation
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has "Compress-Archive")
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "explorer.exe")
| project Timestamp, DeviceName, AccountName, FileName, OrigName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName
| order by Timestamp desc
```
```powershell
# Rapid Response Script: INCRANSOM Indicators
# Checks for recently registered scheduled tasks and for shadow-copy deletion commands.
# Run elevated. The shadow-copy check needs Security event ID 4688 with command-line auditing
# enabled; the VSS service stopping by itself is normal (it stops when idle) and is reported
# only as low-confidence context.

$Cutoff = (Get-Date).AddHours(-24)

Write-Host "[+] Checking for tasks created/modified in the last 24 hours..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {
    # Date comes from the task XML as a string and is empty for many built-in tasks;
    # -as [datetime] yields $null (never greater than the cutoff) instead of throwing
    ($_.Date -as [datetime]) -gt $Cutoff -and
    $_.Author -notlike '*Microsoft*' -and
    $_.TaskName -notlike '*Microsoft*'
} | Select-Object TaskName, TaskPath, Date, Author, State

Write-Host "`n[+] Checking for shadow copy / backup catalog deletion commands (Security 4688)..." -ForegroundColor Cyan
$Procs = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=$Cutoff} -ErrorAction SilentlyContinue
$VssDelete = $Procs | Where-Object {
    ($_.Message -match 'vssadmin(\.exe)?\s+delete\s+shadows') -or
    ($_.Message -match 'shadowcopy\s+delete') -or
    ($_.Message -match 'wbadmin(\.exe)?\s+delete\s+catalog')
}
if ($VssDelete) {
    Write-Host "[ALERT] Shadow copy deletion commands found. Possible ransomware activity." -ForegroundColor Red
    $VssDelete | Select-Object TimeCreated, Message
}

Write-Host "`n[+] Checking whether the VSS service stopped recently (low confidence)..." -ForegroundColor Cyan
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; ID=7036; StartTime=$Cutoff} -ErrorAction SilentlyContinue
$VSSStop = $Events | Where-Object { $_.Message -like '*Volume Shadow Copy*' -and $_.Message -like '*stopped*' }
if ($VSSStop) { Write-Host "[INFO] VSS service stopped $(@($VSSStop).Count) time(s); correlate with the 4688 results above." -ForegroundColor Yellow }
```
Incident Response Priorities
Based on the INCRANSOM playbook, prioritize the following actions during the first 60 minutes after detection:
- Checklist (Pre-Encryption):
  - Isolate compromised VPN concentrators immediately (specifically Check Point devices).
  - Check ScreenConnect logs for `..%2f` strings (and the `../`, `..\` and double-encoded `%252e%252e%252f` variants) in the last 48 hours.
  - Look for `vssadmin.exe delete shadows` execution in EDR logs.
- Critical Assets for Exfiltration:
  - INCRANSOM aggressively targets PII/PHI databases (Healthcare/Public Sector).
  - Financial records: Payroll and tax databases.
  - Email archives: .pst files are high priority for exfiltration.
- Containment Actions:
  - Urgency 1: Disable internet-facing RDP and VPN access for non-admin users.
  - Urgency 2: Revoke credentials for service accounts associated with the ConnectWise ScreenConnect service.
  - Urgency 3: Segment backup repositories from the production network.
Hardening Recommendations
Immediate (24 Hours)
- Patch CVE-2026-50751: Upgrade Check Point Security Gateways to the latest fixed version. Disable IKEv1 if not strictly required.
- Patch CVE-2024-1708: Apply the ConnectWise ScreenConnect hotfix immediately. If patching is delayed, block access to the `/Guest/*` and `/Setup/*` paths at the web application firewall (WAF) level.
- Audit Exchange: Ensure CVE-2023-21529 patches are applied; block external access to OWA/ECP if not utilized.
Short-term (2 Weeks)
- Architecture: Implement a true Zero Trust Network Access (ZTNA) solution to replace legacy VPN appliances.
- Monitoring: Deploy specific detections for anomalous IKEv1 handshake patterns and ScreenConnect web requests.
- Backup Integrity: Implement immutable backup solutions (WORM storage) for PHI and municipal records.